6004 errors showing up after Symantec Endpoint installs.
We noticed a while back, as soon as we upgraded some computers from Symantec Corporate Edition to Symantec Endpoint Protection, some 6004 errors showed up in the logs. We have well over 200 computers in our network and over half of them report this error; the last report earlier today shows 108 computers have reported at least one instance within the past week, with about a third (29) having 100 or more instances during that time. Here is what we see in the event log:
Event Type: Error
Event Source: EventLog
Event Category: None
Event ID: 6004
Date: 9/22/2008
Time: 1:36:48 PM
User: N/A
Computer: REGSCANNER
Description:
A driver packet received from the I/O subsystem was invalid. The data is
the packet.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0c 00 e0 00 0e 00 00 00 ..à.....
0008: d4 e4 00 2c e2 1c c9 01 Ôä.,â.É.
0010: 40 00 00 00 00 00 00 00 @.......
0018: 00 00 00 00 04 00 4e 00 ......N.
0020: 00 00 00 00 cb 0b 00 80 ....Ë..
0028: 00 00 00 00 10 00 00 c0 .......À
0030: 00 00 00 00 00 00 00 00 ........
0038: 00 00 00 00 00 00 00 00 ........
0040: 4d 00 52 00 78 00 53 00 M.R.x.S.
0048: 6d 00 62 00 00 00 5c 00 m.b...\.
0050: 44 00 65 00 76 00 69 00 D.e.v.i.
0058: 63 00 65 00 5c 00 4c 00 c.e.\.L.
0060: 61 00 6e 00 6d 00 61 00 a.n.m.a.
0068: 6e 00 52 00 65 00 64 00 n.R.e.d.
0070: 69 00 72 00 65 00 63 00 i.r.e.c.
0078: 74 00 6f 00 72 00 00 00 t.o.r...
0080: 56 00 50 00 49 00 00 00 V.P.I...
0088: 4e 00 65 00 74 00 42 00 N.e.t.B.
0090: 54 00 5f 00 54 00 63 00 T._.T.c.
0098: 70 00 69 00 70 00 5f 00 p.i.p._.
00a0: 7b 00 39 00 45 00 38 00 {.9.E.8.
00a8: 37 00 41 00 36 00 43 00 7.A.6.C.
00b0: 30 00 2d 00 38 00 31 00 0.-.8.1.
00b8: 43 00 35 00 2d 00 34 00 C.5.-.4.
00c0: 46 00 43 00 34 00 2d 00 F.C.4.-.
00c8: 39 00 32 00 42 00 42 00 9.2.B.B.
00d0: 2d 00 32 00 41 00 38 00 -.2.A.8.
00d8: 33 00 43 00 42 00 00 00 3.C.B...
Reading the data, I get the message "MRxSmb \ Device\ LanmanRedirector
[Domain] NetBT_Tcpip-{(E87A6C0-81C5-4FC4-92BB-2A83CB"
Can someone tell us how to correct this? I've spoken to Symantec Tech support on the phone about this and they refer me to Microsoft, and I also see messages here that say the same thing, but when I contact Microsoft, they tell me it is Symantec's problem.
Thanks!
David
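Decoding the Data: section quoted in the post above, as an added example that is not part of the original post: it parses Event Viewer's offset/hex/ASCII lines and splits the NUL-terminated UTF-16LE strings that start at offset 0x40. The function names are illustrative, and only the 0x40-0xdf lines of the dump are embedded.

```python
import re

# Bytes 0x40-0xdf of the Data: section from the post (copied, ASCII column kept).
DUMP = r"""
0040: 4d 00 52 00 78 00 53 00 M.R.x.S.
0048: 6d 00 62 00 00 00 5c 00 m.b...\.
0050: 44 00 65 00 76 00 69 00 D.e.v.i.
0058: 63 00 65 00 5c 00 4c 00 c.e.\.L.
0060: 61 00 6e 00 6d 00 61 00 a.n.m.a.
0068: 6e 00 52 00 65 00 64 00 n.R.e.d.
0070: 69 00 72 00 65 00 63 00 i.r.e.c.
0078: 74 00 6f 00 72 00 00 00 t.o.r...
0080: 56 00 50 00 49 00 00 00 V.P.I...
0088: 4e 00 65 00 74 00 42 00 N.e.t.B.
0090: 54 00 5f 00 54 00 63 00 T._.T.c.
0098: 70 00 69 00 70 00 5f 00 p.i.p._.
00a0: 7b 00 39 00 45 00 38 00 {.9.E.8.
00a8: 37 00 41 00 36 00 43 00 7.A.6.C.
00b0: 30 00 2d 00 38 00 31 00 0.-.8.1.
00b8: 43 00 35 00 2d 00 34 00 C.5.-.4.
00c0: 46 00 43 00 34 00 2d 00 F.C.4.-.
00c8: 39 00 32 00 42 00 42 00 9.2.B.B.
00d0: 2d 00 32 00 41 00 38 00 -.2.A.8.
00d8: 33 00 43 00 42 00 00 00 3.C.B...
"""

def parse_dump(text):
    """Parse 'offset: hex bytes ascii' lines into (start_offset, bytes)."""
    start, data = None, bytearray()
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if not sep:
            continue  # blank or non-dump line
        offset = int(head, 16)
        if start is None:
            start = offset
        if offset != start + len(data):
            raise ValueError(f"gap or overlap at offset {offset:#06x}")
        for tok in rest.split()[:8]:  # Event Viewer prints 8 bytes per line
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break  # reached the ASCII column of a short line
            data.append(int(tok, 16))
    return start, bytes(data)

def utf16_strings(data):
    """Split NUL-terminated UTF-16LE strings, dropping the empty ones."""
    return [s for s in data.decode("utf-16-le", errors="replace").split("\x00") if s]

print(utf16_strings(parse_dump(DUMP)[1]))
```

The last string runs up to the final bytes of the buffer, so the interface GUID is cut short in the event data itself.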
Comments
I too have been seeing this error but nowhere near the level you are. I have seen it on less than 10% of our clients. Oddly around the same time I began to see a 4319 error about duplicate names on the network. I have not found any duplicate names nor have I solved either error.
Ok I found some more info. In the task manager the page file is huge. When I add the VM Size column view under the process tab, Rtvscan.exe is using 812 MB for virtual memory. Also the Rtvscan.exe process is always using CPU of around 4% or greater. I attempted to rename the computer to eliminate the 4319 error and I receive an error stating:
The following error occurred attempting to rename the computer to "[computername]":
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again..
So I am unable to rename the computer either. The connections lead me to a Microsoft KB884020 which deals with TCP IP connections.
Are you able to rename a computer? Does your Rtvscan.exe use a lot of virtual memory? Please let me know.
Glen
Disabled my Firewall Policies and this error went away. Perhaps there is something wrong with Endpoint's Teefer2 network driver.
Thanks for the tip Cary. I have noticed that any computer that doesn't have the firewall installed, such as servers and selected workstations, is not receiving this error. Also I have found that it has something to do with NetBT over TCP/IP and SEP 11. We never had this problem until SEP 11 was installed and NetBT over TCP/IP has always been running. Upon disabling NetBT over TCP/IP from DHCP the error has been eliminated on any DHCP configured computers. Any static IP computer that has the firewall installed (a few workstations) is still recording the 6004 error. I will manually turn off NetBT over TCP/IP on those and watch the next few days for the 6004 error.
OK, I have confirmed it. NetBIOS over TCP/IP (NetBT over TCP/IP) and SEP11 do not get along. I enabled NetBT on a computer with the SEP11 firewall active and bingo, 6004 errors started appearing in the event viewer. I am really disappointed with this product from Symantec. It is very buggy even after several maintenance releases.
Almost all of my XP SP3 machines are experiencing this 6004 issue as well.
The same thing is happening to me as Clint said in this thread:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&thread.id=243&view=by_date_ascending&page=1
Same problem, MR3 clients. Any other solution other than disabling the firewall?
Actually, I've withdrawn the firewall policy and I still get 6004's, so "disabling" the firewall isn't working. I put that in quotes because from what I've read, withdrawing the policy simply opens up all the ports and doesn't actually stop it from running on the client.
I've not found out how to stop it from running on the client once it's been installed.
You may have to actually uninstall the firewall using the Change option in Add/Remove programs, or you might get away with unchecking it at the Network Connection Properties.
Right click on Local Area Connection, go to properties, you'll see the Client for Microsoft Networks, QoS Packet Scheduler...etc...the Teefer2 can be unchecked, click OK, and it should be truly disabled at that point.